As you can see, the compiler puts "PATH=/bin" in the program's .rodata
section, which is placed in read-only memory.
If you later modify this single "PATH=/bin" (which now comes from "nenv")
by
*equals = '\0';
...
*equals = '=';
a core dump happens, which is simulated in my simple a.c example by
nenv[0][4] = '\0';
Just run it and get a core dump.

FreeBSD 6 will also dump if the length of the value was less than or
equal to "/bin" since it reuses this string. This will core dump:
nenv[0] = "PATH=/bin";
nenv[1] = NULL;
environ = nenv;
setenv("PATH", "/bin", 1);
Sean
--
scf_(_at_)_FreeBSD_(_dot_)_org
_______________________________________________
freebsd-current_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe_(_at_)_freebsd_(_dot_)_org"